Or to make it cleaner and simpler, let the user roam to the APs freely and get an IP address, but do not allow them to do anything until they create a client VPN to the firewall. At which time the firewall will know their IP address and will set up all the rules for their access through the VPN policy. This way you can integrate your RADIUS users into the firewall setup for their authentication, and do not have to use custom scripts. Also, if you use a secure client that allows you to push access-lists to the client, you can then add and remove access-lists for the client on the fly without touching the machines. Plus, not to mention, if you have more than one AP in your environment people can roam APs without having to reauthenticate every time and lose connectivity, because their authentication is pushed back a layer.
Tre

"Just cause it's secure doesn't mean it has to be a pain in the butt!!!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
Sent: Tuesday, January 27, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: Re: 802.1x Dynamic IP: Use rlm_ippol or DHCP? (Dynamic Traffic Shaping / Firewall)

"George Heeres" <[EMAIL PROTECTED]> wrote:
> I'm planning on my access points running in routing mode instead of
> bridged mode which will allow each antenna to have its own subnet.
> Users will be authenticated via 802.1x with FreeRadius against an LDAP
> data source. Upon authentication, I'll use iptables to set up accounting
> and punch holes in the firewall based on the IP address.

A firewall isn't really necessary. The AP already forbids anyone to use the network until they authenticate. And once they authenticate, it shouldn't matter which IP they get.

> For simplicity, I'm just using the users file to get things working
> and tested without worrying about incorrect LDAP queries, parameters,
> etc.

That's the best approach.

> I have the 802.1x authentication working, however I'm stuck trying
> to determine how to handle the IP address allocation. Two options that
> I am aware of include: DHCP server or internally managed IP Pools with
> FreeRadius.

I think your only option is DHCP. The AP won't use any IP sent to it by FreeRADIUS.

> The problem I'm having is during a DHCP request I don't know much
> about the request except for a MAC address. Since all the
> authentication has already taken place via FreeRadius... I don't
> have any of the necessary information to dynamically set up the
> iptables firewall / traffic shaping? Who is this person? What speed
> should they be?, etc.?

You'll have to find a way to make the firewall communicate with FreeRADIUS (or the other way around). Maybe an external script, to send the firewall the MAC address & user information...

> Is it possible to use the ippool module with EAP?

It's not possible to assign IP addresses via EAP.

> Before I hurt myself and code the DHCP extensions, does anyone know
> what I might be doing wrong with the rlm_ippool module and / or user
> settings. Or is there some other alternative that I haven't considered?
> If I can avoid having to dust off the C programming manual, that would
> be great.

Shell scripts. FreeRADIUS knows who the user is, and may also know the MAC address. So use a shell script in FreeRADIUS to send that information to the firewall.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
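As an added illustration of the shell-script approach Alan suggests (this is example code written for this page, not anything posted in the thread or shipped with FreeRADIUS), the script below is the kind of helper rlm_exec could run at post-auth time. It assumes rlm_exec has been configured to export the request attributes as environment variables (User-Name as USER_NAME, Calling-Station-Id as CALLING_STATION_ID), that it runs on the box that actually sees the client's Ethernet frames (for instance the AP itself in routing mode, since an iptables MAC match cannot see a MAC from behind another router), and that a chain named WLAN_AUTH and a firewall mark of 10 are the hypothetical local conventions. Because User-Name and Calling-Station-Id are supplied by the supplicant and the AP, the script validates both before they are turned into firewall commands, and by default it only prints the commands so it can be dry-run safely.

```shell
#!/bin/sh
# Added example: a post-auth helper for FreeRADIUS rlm_exec (hypothetical
# deployment, not from the original thread). rlm_exec is assumed to export
# request attributes as environment variables, e.g. USER_NAME and
# CALLING_STATION_ID. The script builds the iptables rules that admit a
# freshly authenticated station and, unless APPLY=1, only prints them.

# Normalise the MAC carried in Calling-Station-Id to aa:bb:cc:dd:ee:ff.
# Accepts 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e, 001a2b3c4d5e and 00:1a:... forms.
normalise_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | tr -d ':.-' |
        sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)/\1:\2:\3:\4:\5:\6/'
}

# A normalised MAC must be exactly six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# User-Name comes from the supplicant, so restrict it to a safe character
# set before it goes anywhere near a command line or a rule comment.
valid_user() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._@-]{1,64}$'
}

# Build the iptables commands for one authenticated station.
# $1 = user name, $2 = raw Calling-Station-Id,
# $3 = filter chain (default WLAN_AUTH), $4 = fwmark for shaping (default 10).
# Prints the commands; on bad input prints nothing and returns 1.
build_rules() {
    user=$1
    chain=${3:-WLAN_AUTH}
    mark=${4:-10}
    mac=$(normalise_mac "$2")
    valid_user "$user" || return 1
    valid_mac "$mac" || return 1
    # Punch the hole for this station, tagged with the user for auditing.
    printf 'iptables -A %s -m mac --mac-source %s -m comment --comment "%s" -j ACCEPT\n' \
        "$chain" "$mac" "$user"
    # Mark the station's traffic so tc can put it in the right rate class.
    printf 'iptables -t mangle -A PREROUTING -m mac --mac-source %s -j MARK --set-mark %s\n' \
        "$mac" "$mark"
}

# Entry point used by rlm_exec: attributes arrive as environment variables.
# With APPLY=1 the generated commands are executed; otherwise they are
# printed so the script can be dry-run from a shell.
radius_post_auth() {
    cmds=$(build_rules "${USER_NAME:-}" "${CALLING_STATION_ID:-}") || {
        echo "refusing to build rules for user '${USER_NAME:-}'" >&2
        return 1
    }
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# Only act when invoked with the rlm_exec environment present.
if [ -n "${USER_NAME:-}" ]; then
    radius_post_auth
fi
```

Dry-run it with `USER_NAME=alice CALLING_STATION_ID=00-1A-2B-3C-4D-5E sh post-auth.sh` and check the printed rules before setting APPLY=1. A non-zero exit from a post-auth exec script is what rlm_exec can turn into a reject, so refusing to build rules for an unparseable name or MAC fails closed rather than admitting a station you cannot identify; the matching accounting-stop hook that deletes the rules is left out here.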